Microsoft Warns of Large Spam Campaign Hitting Europe

Microsoft is warning about a large-scale spam campaign that is targeting European users by taking advantage of an old Office exploit to send emails that contain malware in malicious Rich Text Format (RTF) attachments.

In a series of tweets sent from the Microsoft Security Intelligence team on Friday, researchers warned of the spam campaign found in malicious emails written in different European languages. By using the older exploit, referred to as CVE-2017-11882, attackers can automatically run malicious code without requiring user interaction, according to Microsoft.

First found in 2017, CVE-2017-11882 specifically targets Equation Editor, a feature found in older versions of Office that has since been removed and replaced by Microsoft. This particular component allowed Office users to build complex equations within Office documents.

An active malware campaign using emails in European languages distributes RTF files that carry the CVE-2017-11882 exploit, which allows attackers to automatically run malicious code without requiring user interaction. pic.twitter.com/Ac6dYG9vvw

While Microsoft issued a patch for this particular vulnerability two years ago, company security researchers continue to see the exploit used in various attacks, with a significant increase over the last several weeks.

For instance, Cisco Talos researchers recently wrote about a series of cyberattacks called "Frankenstein" earlier this month, which refers to the attackers piecing together several different and unrelated open source components as part of the campaign. In this case, the attackers targeted victims using malicious documents that took advantage of the CVE-2017-11882 exploit.

Older Exploits Still Working

What makes this particular exploit troublesome is that it allows attackers to create RTF or Word documents that, once opened by the victim, can automatically execute commands. From there, an attacker could take over an entire system if the user had administrative credentials.

"If the current user is logged on with administrative user rights, an attacker could take control of the affected system," according to Microsoft's original 2017 alert. "An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Users whose accounts are configured to have fewer user rights on the system could be less impacted than users who operate with administrative user rights."

In the current version of this attack, Microsoft researchers warn that once the malicious attachment is opened by the user, the malware will attempt to run multiple scripts, including ones using VBScript, PowerShell and PHP, before attempting to download the payload.

This particular payload is a Trojan that looks to connect to a specific domain. By the time Microsoft issued its warning on Friday, however, the attackers had taken the malicious domain down. Since attackers have been taking advantage of this particular exploit for the past two years, it's possible that they could pick up this campaign at another point.

In an analysis of the original CVE-2017-11882 exploit in 2017, Palo Alto Networks' Unit 42 warned that attackers were likely to take advantage of this particular flaw for "years to come."

Overdue Patching

As part of its new warning, the Microsoft Security Intelligence team is urging companies that own older versions of Office that contain Equation Editor to apply that patch issued two years ago. An alternative is to disable Equation Editor if it's still in use.

If the patch is properly applied, attackers cannot take advantage of the exploit, and Microsoft has since removed Equation Editor from all newer versions of Office due to a series of security problems with this particular component.
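As an added example (not from the article or from Microsoft's tweets), a PowerShell audit that checks whether Equation Editor is still installed and whether Microsoft's registry workaround blocking its COM server is in place, with an optional function to apply it. The CLSID and the 0x400 kill-bit value are assumed from Microsoft's published advisory for CVE-2017-11882 and should be verified there before use; the binary paths are the usual install locations, not values from this page.

```powershell
# Added example, not from the article. Audits Microsoft's 2017 workaround for
# CVE-2017-11882 (setting a COM kill-bit on the Equation Editor server) and can
# apply it. CLSID and 0x400 are assumed from Microsoft's advisory: verify them.
# Run from an elevated session. Applying the patch remains the real fix.
$Clsid = '{0002CE02-0000-0000-C000-000000000046}'
$KeyPaths = @(
    "HKLM:\SOFTWARE\Microsoft\Office\Common\COM Compatibility\$Clsid",
    "HKLM:\SOFTWARE\Wow6432Node\Microsoft\Office\Common\COM Compatibility\$Clsid"
)
$Binaries = @(
    "$env:CommonProgramFiles\Microsoft Shared\EQUATION\EQNEDT32.EXE",
    "${env:CommonProgramFiles(x86)}\Microsoft Shared\EQUATION\EQNEDT32.EXE"
)

function Get-EquationEditorStatus {
    # Presence of EQNEDT32.EXE means the legacy component is still installed.
    foreach ($bin in $Binaries) {
        if (Test-Path $bin) {
            $ver = (Get-Item $bin).VersionInfo.FileVersion
            [pscustomobject]@{ Item = $bin; State = "present, file version $ver" }
        }
    }
    # Report whether the kill-bit is set under each registry view.
    foreach ($key in $KeyPaths) {
        $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                  -ErrorAction SilentlyContinue).'Compatibility Flags'
        $state = if ($null -eq $flags) { 'workaround NOT applied' }
                 elseif ($flags -band 0x400) { 'workaround applied' }
                 else { "flags=0x$($flags.ToString('X')), kill-bit missing" }
        [pscustomobject]@{ Item = $key; State = $state }
    }
}

function Set-EquationEditorKillBit {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    foreach ($key in $KeyPaths) {
        if ($PSCmdlet.ShouldProcess($key, 'Set Compatibility Flags bit 0x400')) {
            New-Item -Path $key -Force | Out-Null
            $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                         -ErrorAction SilentlyContinue).'Compatibility Flags'
            # OR the bit in so any flags already present are preserved.
            Set-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -Value ([int]$existing -bor 0x400) -Type DWord
        }
    }
}

Get-EquationEditorStatus | Format-Table -AutoSize
# Set-EquationEditorKillBit -WhatIf   # preview; drop -WhatIf to apply
```

The audit is read-only; only Set-EquationEditorKillBit changes the registry, and it honours -WhatIf so the change can be previewed first.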

This is not the only patch that Microsoft has been issuing warnings about. Over the last month, the company, along with the U.S. National Security Agency, has warned users to update older Windows systems against BlueKeep, a vulnerability within the company's Remote Desktop Protocol service that could enable attackers to use a worm-like exploit to take over devices running unpatched older Windows operating systems (see: Researcher Posts Demo of BlueKeep Exploit of Windows Device).

About the Author

Ferguson is the managing editor for the news desk at Information Security Media Group. He's been covering the IT industry for more than 13 years. Before joining ISMG, Ferguson was editor-in-chief at eWEEK and director of audience development for InformationWeek. He's also written and edited for Light Reading, Security Now, Enterprise Cloud News, TU-Automotive, Dice Insights and DevOps.com.
